FEBRUARY SCREENING COMPLIANCE UPDATE
Can a Company Ask Employees If They Are Vaccinated and Can it be an Employment Requirement?
The Centers for Disease Control and Prevention (CDC) no longer recommends masking or social distancing for fully vaccinated people in most settings. However, where state or local law is stricter than the CDC guidance, the stricter rule controls.
Asking staff about their vaccination status helps protect your employees and your customers, but there are significant privacy rules to consider. An employee’s vaccination status is private health information, yet it also determines whether that employee must wear a mask and socially distance at work.
Here are a few commonly asked questions by employers:
Can I ask my employees if they are vaccinated? Employers are allowed to ask their employees about their vaccination status.
Is asking a violation of the Health Insurance Portability and Accountability Act (HIPAA)? No. HIPAA’s Privacy Rule restricts how covered entities (health plans, healthcare providers, and clearinghouses) use and disclose protected health information; it does not govern an employer asking its own employees a question. The Equal Employment Opportunity Commission (EEOC) has explicitly said that employers can ask their employees about their vaccination status.
Is asking a violation of the Americans with Disabilities Act (ADA) or the Genetic Information Nondiscrimination Act (GINA)? It can be if you aren’t careful. To avoid violating the ADA or GINA, limit your inquiry to the employee’s vaccination status, avoid follow-up questions such as why an employee is not vaccinated (which may elicit disability or genetic information), and instruct employees not to provide additional medical information. You must also keep any vaccination information confidential and store it separately from the employee’s personnel file, as the ADA requires for medical information.
Can I ask my employee for proof of vaccination? Yes. The EEOC has stated that requesting documentation or other confirmation of COVID-19 vaccination, such as a copy of the employee’s vaccination card, is not a disability-related inquiry under the ADA. Treat any documentation you receive as confidential medical information.
How can I maintain my employees’ privacy? Limit who has access to vaccination status information as much as possible, and limit how it is used: use it only to determine which employees must wear a mask, socially distance, or quarantine after exposure to COVID-19.
Can you be fired for refusing to get vaccinated against COVID-19?
The EEOC has made clear that employers may require vaccination as a term and condition of employment, subject to requests for reasonable accommodation based on a disability or other medical reason or a sincerely held religious belief.
Can an employer require vaccination before hiring?
Employers may require that new hires be vaccinated by the first day of work, provided they accommodate those who cannot receive the vaccine for disability- or religion-based reasons.
Can an employer ask candidates if they have COVID-19 symptoms?
Yes, an employer can ask candidates whether they currently have COVID-19 or COVID-19 symptoms. If the employer screens everyone who comes onto its campus for COVID-19, a candidate coming in for a job interview can go through the same screening process. It is not advisable, however, to ask screening questions or COVID-19 status of a candidate who is not coming into the workplace, since the inquiry then serves no workplace safety purpose.
Employee Social Media Complaints: Employers Beware
The National Labor Relations Board’s new general counsel, the top prosecutor who oversees all regional offices, had previously signaled an intention to expand the types of employee conduct that might qualify as protected, concerted activity.
A recent advice memorandum from the general counsel’s Division of Advice doubles down on that approach. The Division of Advice memo recommended that Region 10 in Georgia file a complaint over an employee’s termination that had followed workplace complaints raised on Facebook. In doing so, the Division of Advice pushed for the same expanded definition of protected, concerted activity.
At issue was an employee of a medical practice who posted a meme on Facebook that blamed bad management for employee attrition issues. Two other employees commented on the post, one with a supportive message and the other with a supportive emoticon. The next day, the employee who was the original poster was terminated for alleged patient complaints.
Generally, to be protected under Section 7 of the National Labor Relations Act, employee conduct must be both “concerted” and “for the purpose of . . . mutual aid or protection.” The manner in which an employee’s actions are linked to those of their coworkers determines whether the employee’s activity is concerted.
The Division of Advice opined that the Facebook post was protected because it complained of a workplace issue and “elicited support from coworkers over these management practices and employee attrition—issues that had been topics of concern for the employees.”
But more troubling, the Division of Advice took the position that the post was also “inherently concerted activity,” an argument that purports to expand protected activity by finding that even activity not calling for group action or “mutual aid or protection” can be protected if it discusses “vital categories of workplace life such as wages, scheduling, or job security.”
In addition, the Division of Advice took the position that even if unprotected, the employer’s action in terminating the employee was still unlawful as a “‘preemptive strike’ against future protected concerted activity.” In short, the employer violated the act by terminating the employee so that other employees would not engage in similar activity.
The advice memorandum shows how far the current general counsel is willing to go to advocate for a broader view of protected, concerted activity. Given the general counsel’s current activist approach, both unionized and non-union employers should weigh this memorandum before taking disciplinary action over conduct that is arguably protected, concerted activity.
New COVID Guidelines Unmasked, But Employers Are Still Subject to Cal/OSHA and Local Orders
On February 7, 2022, the California Department of Public Health (“CDPH”) issued a new “Guidance for the Use of Face Masks.” The new Guidance, which goes into effect at the state level on February 16, 2022, limits the settings in which universal masking will be required and also relaxes mask requirements for fully vaccinated individuals in many recreational and non-employment settings, such as dining, shopping, entertainment and sports venues, and more. Under the relaxed guidelines, vaccinated and unvaccinated individuals must still wear masks on public transit and in transportation hubs; in indoor K-12 schools and childcare; in emergency shelters and cooling and heating centers; in healthcare settings; in state and local correctional facilities and detention centers; in homeless shelters; and in long-term care settings and adult and senior care facilities. Vaccinated individuals are still urged to wear masks in “high risk” situations.
We have already received inquiries from many clients regarding how the new guidelines affect mask requirements in the workplace.
Unfortunately, the relaxation of requirements at the state level does not give employers and employees as much freedom as they might like. Local governments are still allowed to issue more stringent indoor masking requirements than those issued by the state. According to various news sources, Los Angeles County’s health officials have expressed their intent to keep their guidelines in place beyond the state deadline.
Furthermore, as the LA County guidance reminds us, “in the workplace, workers must follow the most protective mask requirements as stated by Cal/OSHA and the County Health Officer Order. Certain employees may be exempt from wearing a mask in specific situations provided alternative safety measures are in place. See the Health Officer Order and Best Practices for Businesses webpage for more details.”
Employers throughout the state should consult and continue to comply with the Cal/OSHA Revised Emergency Temporary Standards for information regarding mask requirements in the workplace. Similar to the revised CDPH guidance, Section 3205 of the General Industry Safety Orders (COVID Prevention) requires all employees who are not fully vaccinated to wear face coverings when indoors or in vehicles, subject to certain exceptions set forth in the Section. Sections 3205 and 3205.1 also require use of face coverings in certain situations when an employee has had a close contact or is returning to work following COVID-related quarantine or isolation.
As a reminder, the ETS does provide exemptions from wearing a face covering:
- When an employee is alone in a room or vehicle.
- While eating or drinking at the workplace, provided employees are at least six feet apart and outside air supply to the area, if indoors, has been maximized to the extent feasible.
- For employees wearing respirators required by the employer and used in compliance with section 5144.
- For employees who cannot wear face coverings due to a medical or mental health condition or disability, or who are hearing-impaired or communicating with a hearing-impaired person.
- When specific tasks cannot feasibly be performed with a face covering. This exception is limited to the time period in which such tasks are actually being performed.
Indiana Joins the Privacy Party by Introducing its Own Data Privacy Law
Before 2018, no US state had a comprehensive consumer data privacy law. Since then, California, Virginia (effective January 1, 2023), and Colorado (effective July 1, 2023) have each enacted one, seeking to protect consumers by giving them control over their personal information. Ohio introduced House Bill 376, “The Ohio Personal Privacy Act,” in July 2021; it has no effective date at this time. Now Indiana has introduced Senate Bill 358 and is ready to join the ever-growing Privacy Party.
Introduced in January 2022, Senate Bill 358 sets forth numerous consumer data protection standards, including Indiana consumers’ rights to their personal data, the responsibilities on businesses and service providers (called “controllers” and “processors,” respectively) to protect such data, and the authority of the Indiana Attorney General to investigate and enforce violations of the new law. If the bill is passed, it will go into effect on January 1, 2025.
Interestingly, when Senate Bill 358 was introduced in January 2022, it mirrored the California Privacy Rights Act (CPRA) and even contained a private right of action, allowing aggrieved individuals to sue companies for violating the law. However, the bill was amended before passing the Senate and now aligns more closely with the Virginia Consumer Data Protection Act (VCDPA). Under the Virginia law, only the attorney general can enforce penalties against businesses for violating the VCDPA; in other words, there is no private right of action. The most recent version of Senate Bill 358:
- Applies to controllers or processors that process the personal data of at least 100,000 consumers, or that process the personal data of at least 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal data;
- Does not contain a private right of action;
- Allows the Indiana Attorney General to initiate an action against controllers for any violations; and
- Provides Indiana residents with rights to their data, including access, correction, deletion, portability, and opting out of certain processing.
Mississippi Enacts Medical Marijuana Law
Mississippi Governor Tate Reeves signed legislation legalizing medical cannabis on February 2, 2022. Known as the “Mississippi Medical Cannabis Act”, the law permits the use of medical cannabis to treat certain debilitating medical conditions including cancer, Parkinson’s disease, Huntington’s disease, muscular dystrophy, HIV/AIDS, hepatitis, ALS, Crohn’s disease, ulcerative colitis, sickle-cell anemia, Alzheimer’s disease, dementia, post-traumatic stress disorder, autism, cachexia or wasting syndrome, chronic pain, severe or intractable nausea, seizures, severe and persistent muscle spasms, among others. The law was effective immediately upon signing by the Governor, although medical cannabis will not become available for months.
Medical cannabis products will include cannabis flower, cannabis extracts, edible cannabis products, beverages, topical products, ointments, oils, tinctures and suppositories.
The medical cannabis law contains many favorable provisions for employers. Specifically:
- Employers are not required to permit or accommodate the medical use of medical cannabis, or to modify any job or working conditions of any employee who engages, or seeks to engage, in the medical use of cannabis;
- Employers are not prohibited from refusing to hire, discharging, disciplining, or otherwise taking adverse employment action against an individual with respect to hiring, discharging, tenure, terms, conditions or privileges of employment as a result, in whole or in part, of that individual’s medical use of medical cannabis, regardless of the individual’s impairment or lack of impairment resulting from the medical use of medical cannabis;
- Employers are not prohibited from establishing or enforcing a drug testing policy;
- Employers may discipline employees who use medical cannabis in the workplace or who work while under the influence of medical cannabis.
- The law does not interfere with, impair or impede any federal requirements or regulations such as the U.S. Department of Transportation’s drug and alcohol testing regulations;
- The law does not permit, authorize or establish an individual’s right to commence or undertake any legal action against an employer for refusing to hire, discharging, disciplining or otherwise taking an adverse employment action against an individual with respect to hiring, discharging, tenure, terms, conditions or privileges of employment due to the individual’s medical use of medical cannabis;
- Employers and their workers’ compensation carriers are not required to pay for or to reimburse an individual for the costs associated with the medical use of cannabis;
- The law does not affect, alter or otherwise impact the workers’ compensation premium discount available to employers who establish a drug-free workplace program in accordance with Miss. Code Section 71-3-201 et seq.;
- The law does not affect, alter or otherwise impact an employer’s right to deny or establish legal defenses to the payment of workers’ compensation benefits to an employee on the basis of a positive drug test or refusal to submit to or cooperate with a drug test, as provided under Miss. Code Sections 71-3-7 and 71-3-121;
- The law does not authorize an individual to act with negligence, gross negligence, recklessness, in breach of any applicable professional or occupational standard of care, or to effect an intentional wrong, as a result, in whole or in part, of that individual’s medical use of medical cannabis;
- The law prohibits smoking and vaping medical cannabis in a public place or in a motor vehicle;
- The law prohibits operating, navigating, or being in actual physical control of any motor vehicle, aircraft, train, motor boat or other conveyance in a manner that would violate state or federal law as a result, in whole or in part, of that individual’s medical use of medical cannabis; and,
- The law does not create a private right of action by an employee against an employer.
Mississippi employers should review the law to determine whether any revisions to drug and alcohol testing policies or other workplace policies will be necessary.
Philadelphia and Montana Join List of Jurisdictions That Provide Protections for Recreational Marijuana Use
Philadelphia, PA and the state of Montana are two of the latest jurisdictions to add their names to the sprouting list of jurisdictions that protect not only medical use, but also recreational use of marijuana. These protections will undoubtedly usher in a new wave of test cases and compliance questions, particularly as many workplaces shift to remote models.
Philadelphia, PA Prohibits Pre-Employment Marijuana Drug Screening
Effective January 1, 2022, the City of Philadelphia prohibits employers from requiring prospective employees to submit to testing for the presence of marijuana as a condition of employment. Philadelphia joins New York City and Nevada as jurisdictions with similar laws. Like its companion jurisdictions, Philadelphia’s ordinance operates as a near-blanket ban on pre-employment marijuana testing, but there are carve-outs to the rule. These include exceptions for applicants for 1) police officer or other law enforcement positions; 2) positions requiring a commercial driver’s license; 3) positions requiring the supervision or care of medical patients, children, disabled or other vulnerable individuals; or 4) any other position in which the employee could “significantly impact the health and safety of other employees or members of the public.” The ordinance also makes an exception for drug testing that is required by federal contracts or collective bargaining agreements.
More details will be available after the Philadelphia Commission on Human Relations issues implementing guidance, which is not yet available.
Montana Joins List of States that Will Protect Lawful Off-Duty Use of Marijuana
Montana HB 701, effective since January 1, 2022, amended the state’s lawful off-duty conduct statute to include marijuana as a lawful product. This means that employers cannot deny job candidates or discriminate against current employees because of their legal use of marijuana during non-working hours. The prohibition includes all manner of employment actions, including hiring decisions, compensation, promotion, and the terms, conditions, and privileges of employment.
Nothing in HB 701, however, prevents a Montana employer from taking adverse action against an employee if that employee is intoxicated at work. The law only protects lawful “off-duty” conduct.
Approximately twenty-nine states have similar statutes that protect employees’ participation in “lawful activities,” but Montana is among a small list that specifically labels marijuana as a protected lawful activity. For states that do not specify marijuana as a lawful activity, it is less clear if the general statute would protect a marijuana user, even if recreational marijuana was legalized. Colorado, for example, has a lawful activity statute but the Colorado Supreme Court held that the statute does not protect recreational marijuana users because, although legal at the state level, recreational marijuana use is still illegal under federal law.
Although Montana is one of the first states to specifically include marijuana as part of its “lawful activity” statute, other states have provided the same or similar protection to recreational marijuana users through passage of anti-discrimination laws. These include New York, Connecticut, and New Jersey. And approximately seventeen states protect medical marijuana users from varying degrees of discrimination in the workplace. These include Maine, Vermont, New Hampshire, Massachusetts, Rhode Island, Pennsylvania, Maryland, Virginia, West Virginia, Delaware, Illinois, Minnesota, South Dakota, Oklahoma, Arkansas, New Mexico, and Arizona.
Remote Workplace Concerns
Nearly all statutes that provide protections for medical or recreational use of marijuana draw a line between on-duty impairment and off-duty use. While the former is prohibited, the latter is not. For hourly employees that work on employer facilities, the distinction is easy to follow. But for exempt employees or remote workers, the line between on duty and off duty work is not as easily tracked.
The New York Department of Labor specifically remarks in its guidance that although an employee’s private residence is not a “worksite,” an employer may take action if the employee is exhibiting “articulable symptoms of impairment during work hours and may institute a general policy prohibiting use during working hours.” Accordingly, employers should make their written policies clear that prohibitions on use are not dependent upon employee location, but rather on whether the employee is engaged in work.
New York City to Require Employers List Salary Ranges in Job Advertisements
On May 15, 2022, employers will have to officially contend with New York City’s recently enacted salary transparency law. The Big Apple joins a growing list of jurisdictions – California, Colorado, Connecticut, Maryland, Nevada, and Washington, among them – to pass a pay transparency law, although the obligations of covered employers vary slightly across jurisdictions. Proponents extol transparency in pay for its push to narrow the gender pay gap and combat other potential discrimination, while opponents lament the potential compliance burden employers may face. Here is everything we know about the law so far.
What Does the Law Require?
The law requires employers to state the minimum and maximum salary offered for any advertised job, promotion, or transfer opportunity. The stated salary range may be based on the highest and lowest salary that the employer “in good faith believes” it would pay for the advertised position at the time of its posting.
This disclosure requirement applies to external job advertisements as well as internal promotion or transfer opportunities. Failure to include the required salary range will constitute an unlawful discriminatory practice under the New York City Human Rights Law.
Who is Subject to These Disclosure Requirements?
The law applies to any employer or employment agency with four or more employees in New York City. For purposes of this law, independent contractors working in furtherance of an employer’s business count toward this four-employee threshold. Agents and employees of covered employers are also subject to the law’s disclosure requirements.
Are There Any Exceptions?
Temporary positions advertised by temporary help firms are exempt from the law’s otherwise broad ambit.
Next Steps for Employers?
The New York City Commission on Human Rights is expected to clarify the obligations of covered employers through the issuance of guidance and regulations prior to the law’s effective date. In the meantime, employers can start to prepare by conducting an internal review of their company’s pay policies and current employee salaries.
New York Passes Two Laws Protecting Employee Privacy
The city and state governments of New York each recently passed laws to protect employee privacy – one law addressing use of automated decision-making tools in job interviews and promotions, and the other addressing electronic monitoring of employee communications.
Automated decision tools in hiring
New York City passed legislation to address the use of automated decision tools in hiring and promotion decisions. Starting January 2, 2023, the law will require employers or employment agencies in New York City to complete a bias audit before using an automated employment decision tool to screen job candidates or evaluate employees for promotions.
This law is part of a growing effort to prevent bias when using automated employment decision tools. Similar legislation has been passed in Illinois and Maryland, where employers that rely on artificial intelligence or facial recognition technology to analyze a job candidate’s video interview are required to first provide notice and obtain consent. In addition, the US Equal Employment Opportunity Commission launched an initiative in October 2021 to gather information about the use and impact of employment-related technologies and issue technical guidance on algorithmic fairness.
What is an automated employment decision tool?
Under the new law, a tool will be classified as an “automated employment decision tool” if a computational process – derived from machine learning, statistical modeling, data analytics or artificial intelligence – issues a score, classification or recommendation that is used to substantially assist or replace discretionary decision-making in hiring or promotion decisions. In practice, this likely will apply to any software or algorithm used to screen and sort job candidates and employees, including those used to select résumés, sort skills, rank candidates or evaluate any other objective candidate characteristic. It may also apply to employee productivity and performance assessment tools, monitoring software, and compensation-analysis platforms to the extent their output feeds hiring or promotion decisions.
What do employers and employment agencies need to do?
The law imposes certain notice obligations when dealing with job candidates and employees who reside in New York City. At least 10 business days before the tool is used, candidates or employees must be notified of the following:
- An automated employment decision tool is being used as part of the evaluation, and the candidate or employee has the right to request an alternative selection process or accommodation.
- The tool will reference a specified list of job qualifications and characteristics in assessing the candidate or employee.
- Within 30 days of a candidate’s or employee’s written request, an employer or agency must provide information about the types of data collected for the tool, the source of the data and the data retention policy. Alternatively, this information may be posted on the employer’s or agency’s website.
In addition, employers must arrange for an independent bias audit of any automated employment decision tool no more than one year prior to the use of the tool to assess the tool’s disparate impact on individuals in any federal EEO-1 “Component 1 category” (i.e., whether the tool would have a disparate impact on individuals based on their race, ethnicity or sex). A summary of the most recent audit, as well as the distribution date of the tool to which the audit applies, must be available on the employer’s or agency’s website prior to use.
What are the penalties for violating the law?
The first violation will result in a civil penalty of no more than $500. Each use of the tool on the same day as the first violation will be treated as a new violation with a penalty of no more than $500. All subsequent violations have a civil penalty of at least $500 and no more than $1,500. Each day the tool is used in violation of the law is treated as a separate violation.
Additionally, each failure to provide any of the three notice requirements will be treated as a separate violation.
Employee electronic monitoring
The state of New York passed legislation to address the electronic monitoring of employee communications. Starting May 7, 2022, the law will require employers with a place of business in New York state who engage in electronic monitoring of employee communications to notify employees of such monitoring.
What forms of communication does it apply to?
The law covers the monitoring or interception of employees’ telephone conversations or transmissions, electronic mail, or internet access or usage by any electronic device or system. It does not apply to processes that manage the type or volume of incoming or outgoing email, voicemail, or internet usage, that are not targeted at a particular individual, and that are performed solely for computer system maintenance or protection.
What do employers need to do?
Employers must provide prior written notice of such monitoring to each employee upon hiring. The notice must state that any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee through any electronic device or system may be subject to monitoring. The notice may be delivered as an electronic record or in another electronic form and must be acknowledged by the employee in writing or electronically. Additionally, the notice must be posted in a conspicuous place that is readily available for viewing by employees.
What are the penalties for violating the law?
Employers will receive a civil penalty of $500 for a first-time violation. Subsequent violations will result in higher penalties: $1,000 for a second violation and $3,000 for a third and each subsequent violation.
What Employers Should Know About the New California Privacy Law
Beginning January 1, 2023, companies with employees or contractors in California may need to comply with a new, robust data privacy law. In 2020, California voters approved the California Privacy Rights Act (CPRA), which modified the existing California Consumer Privacy Act (CCPA), broadening its obligations from consumer information to employment data (among other changes).
If your business is subject to the CCPA/CPRA and has employees or contractors in California, the next few months are critical to prepare for compliance.
Who Is Subject to the CPRA?
Companies will have obligations related to employment data under the CPRA if they (1) meet the jurisdictional scope of the law and (2) have any employees or contractors in California, even if their business is not headquartered in the state.
A business falls within the jurisdictional scope of the CPRA if it meets at least one of the following thresholds:
- (a) Had annual gross revenue above $25 million in the previous calendar year; or
- (b) Annually buys, sells, or shares the personal information of 100,000 or more California residents or households; or
- (c) Derives at least 50 percent of its annual revenue from selling (disclosing to a third party for monetary or other valuable consideration) or sharing (disclosing to a third party for cross-context behavioral advertising) the personal information of California residents.
Only one of these thresholds needs to be met, so a business below the revenue threshold may still fall within the scope of the CPRA under (b) or (c); once in scope, it has employment-data obligations for any California employees or contractors, wherever it is headquartered.
What Is “Personal Information” Under the CPRA?
The CPRA defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This includes not only name and email address but also any data points that can be connected to someone, such as an IP address, metadata and usage data, photos, audio, and video recordings, professional and employment information, and inferences about them. Generally speaking, the contents of job applications, employee personnel records, employee tracking, and employee communications are all “personal information” under the CPRA.
A business that satisfies the jurisdictional scope must comply with CPRA’s obligations in relation to the personal information collected in the employment context about its California employees. This includes personal information collected about a job candidate, employee, owner, director, officer, medical staff member, or independent contractor in the context of that person’s role. Information about emergency contacts and beneficiaries is also “personal information” under the CPRA.
What Are Employers’ CPRA Obligations?
There are three major categories of compliance for employers: notice, employee rights, and data governance. Companies subject to the CPRA will be required to comply with largely the same obligations they already have for their consumers’ data under the CCPA.
Employees, job candidates, and contractors will have several rights in relation to the collection and use of their personal information, subject to exceptions. They can:
- Access the specific pieces of personal information an employer holds about them (including any profiles or inferences) that were generated on or after January 1, 2022;
- Correct inaccurate personal information;
- Delete personal information collected from them (subject to certain exceptions, including to comply with a legal obligation);
- Restrict the use of their sensitive personal information (such as their financial information, social security numbers, communications content, health information, and biometrics) to specific business purposes or limited disclosures; and
- Opt out of the sale of personal information to third parties (i.e., disclosure for monetary or other compensation where there is not a written agreement restricting the other party’s use of the data).
If an employer receives a request from an employee, contractor, or job candidate to exercise one of these rights, the employer will be required to honor the request within 45 days (with a one-time, 45-day extension available), unless an exception applies.
Businesses must implement certain data governance measures internally, such as creating a records retention schedule, using personal information only for the purpose the company has disclosed, and keeping personal information only as long as necessary for the purposes of retention.
How Do Employers Build for Compliance?
Employers can take proactive steps now to prepare for 2023.
The first step in building a privacy program is to understand what personal information about employees, job candidates, and contractors your business has collected; where it is stored; for what purposes it is collected and used; and to whom it is disclosed.
If you have already completed data mapping for the General Data Protection Regulation (GDPR) or CCPA compliance in relation to consumer data, this is effectively the same exercise for employee, contractor, and job candidate data. Creating a data map or inventory will enable your business to make accurate representations in your privacy notice, fulfill rights requests, and honor retention and other data governance policies.
Based on the data mapping exercise, a privacy notice should be prepared for each subset of California individuals (employee, contractor, and job candidate) who meet the CCPA and CPRA specifications.
Starting January 1, 2023, employees, job candidates, and contractors may submit access, deletion, correction, restricted processing, and opt-out requests.
Businesses should develop mechanisms for accepting these requests (e.g., through a webform, email address, and/or phone number where the employee can submit the request), analyze the application of legal exceptions to rights (e.g., what information are employers not required to delete in response to a deletion request), and create procedures for honoring requests and notifying employees, job candidates, and contractors of the actions taken (or not taken under an exception).
As processes for rights requests are developed, the employees who are responsible for responding to requests must undergo training about the CPRA and the rights procedures. For most companies, this will likely be human resources representatives in collaboration with technology specialists.
The CPRA requires that businesses have certain terms in their agreements with “service providers,” or entities that receive and use personal information in order to perform services for the business (e.g., payroll providers, background check companies, and other entities who assist the business with its human resources functions).
These agreements must, among other things, restrict service providers’ use of personal information to the purpose of providing that specific service to the business. Businesses should review their agreements with third parties to confirm it is a “service provider” relationship and the agreement has the requisite terms.
The California Privacy Protection Agency (CPPA) is preparing regulations to implement the CPRA. Businesses should also be attentive to these regulations, as they may add additional clarity, nuance, or specifications to compliance. Regulations are due to be issued July 1, 2022. Stay tuned for more information.
What Are the Consequences for Non-compliance?
The California Attorney General and the CPPA will enforce the CPRA; enforcement will begin July 1, 2023, after a 6-month grace period to come into compliance. Businesses that are alleged to have violated the CPRA will have a 30-day “cure” period in which to fix violations and thus avoid civil penalties.
Uncured violations may result in civil penalties of up to $7,500 per violation.
What’s New with Cannabis Compliance in Wisconsin? The Legal, The Illegal, and the Gray Area for Wisconsin Employers
The Wisconsin legislature appears poised to reject a proposal to create a medical marijuana program this legislative session, just a month after the Senate shot down a proposal to legalize marijuana for recreational use. Although Wisconsin’s neighbors Michigan, Illinois, and Minnesota have decriminalized marijuana for at least some uses, the Wisconsin legislature has traditionally been resistant to marijuana reform and lawmakers told Wisconsin Public Radio that they do not expect the latest measure to survive. But marijuana products proliferate in the state in forms legal, illegal, and ambiguous. The often-murky legal status of various products implicates a number of important legal issues for Wisconsin employers, including disability accommodation, drug testing, and workplace health and safety. In this very dynamic area of law where new state and local rules are popping up like weeds, employers should consider the overlapping network of federal, state, and local regulations that vary according to the location of an increasingly mobile workforce.
“It was legal where I did it!”
Wisconsinites have proven more than willing to cross the border to neighboring states for a visit to a retail outlet. The practice is so widespread that last year Wisconsin Governor Tony Evers quipped in a video posted to Twitter, “Frankly I’m kind of tired of talking to the governor from Illinois. Whenever I get with him, he thanks me for having Wisconsinites cross the border to buy marijuana.” Although marijuana is illegal to use or possess at the federal level under the Controlled Substances Act, the impact of decriminalization by nearby states has wafted right past state boundaries. As a result, employers may be faced with scenarios in which an employee spends the weekend in Chicago, comes back to work on Monday, and tests positive on a random drug screen.
Since the Wisconsin Fair Employment Act prohibits discrimination on the basis of an employee’s use or nonuse of lawful products off the employer’s premises during nonworking hours, is an employer required to tolerate drug use during non-working hours, as long as the employees bother to take a road trip across state lines? No; a statutory exception to the non-discrimination provision provides that the use of lawful products is not protected if it conflicts with any federal law. The Wisconsin Department of Workforce Development has taken the position that Wisconsin employers have the right to terminate an employee for use of marijuana products that are unlawful under federal law. However, any drug-testing program should still be evaluated for compliance with state wage and hour law (including Wisconsin’s law prohibiting employers from requiring employees or candidates to pay the cost of a required medical examination, including drug testing), the Americans with Disabilities Act, privacy regulations, Department of Transportation or industry-specific regulations, and the federal and state Drug-Free Workplace Act.
It’s not just brownies anymore
Cannabidiol (CBD) products, including gummies, oils, creams, chocolates, and even beer, proliferate in Wisconsin. Under the Agriculture Improvement Act of 2018 (commonly called the “2018 Farm Bill”), hemp and hemp products (including CBD oil extracted from hemp plants) are not controlled substances, provided that they are grown pursuant to a federal or state-approved plan and contain no more than 0.3% delta-9-THC, the main cannabinoid responsible for the “high” of marijuana. The 2018 law followed the Agricultural Act of 2014 (“2014 Farm Bill”), which permitted hemp pilot projects, including one in Wisconsin. Last month, Wisconsin turned its state-approved plan over to the USDA, becoming one of the first states to do so. Because CBD products are legal at the federal level, Wisconsin employers should craft their drug policies in light of Wisconsin law protecting employee off-work use of lawful products, while also ensuring compliance with federal regulations and communicating to workers that the use of lawful CBD products will not excuse a positive drug test for marijuana.
Delta-8: A legal high?
Although federal law limits the presence of delta-9-THC to 0.3% of legal hemp products, it does not restrict the presence of delta-8-THC, a cannabinoid cousin to delta-9 that can also produce a “high.” Although delta-8 is present in hemp plants only in very small quantities, CBD can be synthetically converted to delta-8. States like Wisconsin that have legal hemp programs but prohibit use and possession of marijuana have seen a rapid increase in the sale and use of delta-8. The legal status of delta-8 is uncertain, although last fall the DEA signaled in an advice letter that it regards delta-8 as exempted from the Controlled Substances Act pursuant to the 2018 Farm Bill. At the same time, the Food and Drug Administration has warned against the effects of delta-8-THC, a common predicate to agency regulation. Although 18 states had restricted or banned delta-8 in some way as of December 2021, including marijuana-friendly states like Colorado and Washington, at present Wisconsin is not considering any similar legislation, and the substance is being openly sold in mints, vape pens, food, and beauty products in stores across Wisconsin. Delta-8 poses a challenge for employers because it produces the same metabolites as those measured by initial screening drug tests for the federally banned delta-9-THC, so employees may screen positive after using products openly sold at the corner store, although they should test negative on a confirmatory test using gas chromatography/mass spectrometry (GC/MS), which distinguishes the two compounds.
Absenteeism, industrial accidents, and injuries
Recognizing the signs of impairment is particularly important because operational, health, and safety risks also inhere in delta-8. The United States National Institute on Drug Abuse, a department of the National Institutes of Health, published research from the Journal of the American Medical Association demonstrating that employees who tested positive for marijuana on pre-employment drug screenings went on to have 55% more industrial accidents, 85% more injuries, and 75% greater absenteeism during employment as compared to those who tested negative. Delta-8 is of particular concern because it is a synthetic, unregulated product; the federal Food and Drug Administration has cautioned that adverse effects associated with consumption of delta-8 may include vomiting, hallucinations, trouble standing, and even loss of consciousness. Workplace safety is a key issue for all employers, and delta-8 presents unique safety challenges. Particularly for employers who have workers in safety-sensitive positions in the healthcare, manufacturing, construction, transportation, utilities, and warehousing industries, delta-8 use by employees poses significant workplace safety risks. Because delta-8 users may come to work impaired but may still pass a confirmatory drug test, managers should be trained to recognize the signs of impairment and address them from a behavior and performance perspective, instead of relying solely on a drug test.
Employers should closely review their existing workplace drug policies and make adjustments to their internal policies and procedures as appropriate. General strategies for compliance include:
- Auditing existing drug and alcohol policies, drug testing policies, and workplace safety policies.
- Educating employees and managers on the risks and symptoms of using unregulated cannabis products.
- Tracking legal developments in jurisdictions in which employers recruit or employ workers.
- Working with counsel to ensure drug-free workplace policies analyze the interplay between the evolving cannabis laws and other areas of law including discrimination, wage and hour, and regulatory compliance.
New Jersey Employers Will be Required to Provide Notice Before Making Use of Tracking Devices in Vehicles Used by Employees
Some employers have historically used tracking devices on vehicles for various business purposes. As of April 18, 2022, New Jersey will require employers, before they make use of a tracking device on an employee-operated vehicle, to notify the employee. An Act Prohibiting Certain Employer Use of Tracking Devices, Assembly Bill No. 3950 (the “Act”), which was signed into law by New Jersey Governor Phil Murphy on January 18, 2022, will apply to all private employers in New Jersey. The Act defines a “tracking device” as an “electronic or mechanical device which is designed or intended to be used for the sole purpose of tracking the movement of a vehicle, person or device,” but does not include “devices used for the purpose of documenting employee expense reimbursement.” Importantly, the Act does not distinguish between employee-owned and employer-owned vehicles, but focuses instead on whether the vehicle is operated by an employee for business purposes.
Under the Act, employers may not “knowingly” make “use of a tracking device on a vehicle used by an employee” without providing written notice to the employee. The Act explicitly does not supersede regulations governing interstate commerce, including but not limited to “usage of electronic communications devices as mandated by the Federal Motor Carrier Safety Administration.”
An employer that violates the Act is subject to a civil penalty of up to $1,000 for the first violation and up to $2,500 for each subsequent violation.
Employers in New Jersey that employ individuals who use vehicles should prepare to comply with the Act prior to April 18, 2022. Specifically, New Jersey employers should identify tracking devices as defined under the Act that are deployed on vehicles used by employees, whether they or the employee own or lease those vehicles. Written notice should then be provided to employees who use those vehicles before they are assigned or otherwise permitted to do so. Similarly, such written notice must be provided to new employees before they are assigned to or otherwise use these vehicles.
International Data Transfer Agreement and Guidance
On 2 February 2022, the Secretary of State laid before Parliament the international data transfer agreement (IDTA), the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Addendum) and a document setting out transitional provisions. This final step follows the consultation the ICO ran in 2021. The documents are issued under Section 119A of the Data Protection Act 2018.
If no objections are raised, they come into force on 21 March 2022. Exporters will be able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.
The IDTA and Addendum replace the current standard contractual clauses for international transfers. They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as “Schrems II”.
These documents are immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval:
- International data transfer agreement (PDF)
- International data transfer agreement (Word document)
- International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (PDF)
- International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Word document)
- Transitional provisions
The IDTA and Addendum form part of the wider UK package to assist international transfers. This includes independently supporting the Government’s approach to adequacy assessments of third countries.
We consulted on our approach to international transfers under UK GDPR from 11 August 2021 to 11 October 2021. When finalising the documents we considered the detailed responses we received and will be publishing these soon.
In our Guide to UK GDPR we have added clarification as to what is a restricted transfer. We are developing additional tools to provide support and guidance to organisations. These will be published soon.
- Clause by clause guidance to the IDTA and Addendum.
- Guidance on how to use the IDTA.
- Guidance on transfer risk assessments.
- Further clarifications on our international transfers guidance.
On February 2, 2022, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €250,000 fine against the Interactive Advertising Bureau Europe (“IAB Europe”) for several alleged infringements of the EU General Data Protection Regulation (the “GDPR”), following an investigation into IAB Europe Transparency and Consent Framework (“TCF”).
The Belgian DPA started an investigation into IAB Europe after receiving several complaints since 2019 regarding the TCF.
The Belgian DPA’s Decision
In the context of the Belgian DPA’s investigation, IAB Europe asserted that it does not act as a data controller for its collection of users’ consents, objections and preferences through the TCF, as the ad tech vendors following the OpenRTB protocol (the “participating organizations”) determine the purposes of processing, without IAB Europe’s intervention. The Belgian DPA rejected this argument and found that IAB Europe acts as a data controller with respect to the TCF and therefore can be held responsible for violations of the GDPR.
Key points from the Belgian DPA’s decisions are summarized below:
- Lawfulness. The Belgian DPA found that IAB Europe does not have a legal basis for the processing of personal data through the TCF. IAB Europe also failed to demonstrate that it has an adequate legal basis for the sharing and subsequent processing of the data by the participating organizations. Particularly, the Belgian DPA held that the participating organizations’ legitimate interests in conducting targeted advertising and user profiling are outweighed by the website and app users’ interests in the protection of their fundamental rights and freedoms.
- Transparency. The Belgian DPA also held that IAB Europe does not meet the GDPR’s transparency standards because the information IAB Europe provides through the consent management tool is too generic and vague, particularly in light of the complexity of the TCF.
- Accountability, Security, and Data Protection by Design and By Default. According to the Belgian DPA, IAB Europe failed to demonstrate that appropriate technical and organizational measures are in place to ensure the effective exercise of website and app users’ rights, and to monitor the validity and integrity of users’ choices. The Belgian DPA’s investigation also revealed that IAB Europe allegedly failed to maintain a register of its data processing activities (in line with Article 30 of the GDPR), to appoint a data protection officer and to conduct a data protection impact assessment with respect to the TCF.
The Belgian DPA imposed an administrative fine of €250,000 on IAB Europe. In doing so, the Belgian DPA considered that the TCF may result in large groups of individuals losing control over their personal data. In addition to a monetary fine, the Belgian DPA required IAB Europe to, among other things:
- Establish a valid legal basis for the processing and sharing of website and app users’ preferences in the context of the TCF and ensure appropriate transparency;
- Prohibit participating organizations from relying on the legitimate interests legal basis for their data processing activities;
- Permanently delete personal data already processed in the context of the TCF from all its systems and its processors’ systems; and
- Audit participating organizations to ensure they comply with the GDPR.
IAB Europe has two months to present the Belgian DPA with an action plan to implement these corrective measures.
One Stop Shop
In November 2021, the Belgian DPA, acting as the lead supervisory authority for this investigation, provided its draft decision to the other 27 concerned EU supervisory authorities, as required by the GDPR cooperation mechanism (Article 60 of the GDPR). As part of this process, two objections were raised, and the Belgian DPA incorporated those objections in its final decision of February 2, 2022, which was approved by all concerned authorities.
The Belgian DPA’s decision can be appealed to the Market Court within 30 days after its notification.
Read IAB Europe’s press release following the Belgian DPA decision.
France’s privacy watchdog latest to find Google Analytics breaches GDPR
Use of Google Analytics has now been found to breach European Union privacy laws in France — after a similar decision was reached in Austria last month.
The French data protection watchdog, the CNIL, said today that an unnamed local website’s use of Google Analytics is non-compliant with the bloc’s General Data Protection Regulation (GDPR) — breaching Article 44 which covers personal data transfers outside the bloc to so-called third countries which are not considered to have essentially equivalent privacy protections.
The U.S. fails this critical equivalence test on account of having sweeping surveillance laws which do not provide non-U.S. citizens with any way to know whether their data is being acquired, how it’s being used, or to seek redress for any misuse, whereas the EU’s GDPR demands that data protection travel with citizens’ information as a stipulation of legal export. France’s CNIL has been investigating one of 101 complaints filed by the European privacy advocacy group noyb back in August 2020, after the bloc’s top court invalidated the EU-U.S. Privacy Shield agreement on data transfers. Since then the legality of transatlantic transfers of personal data has been clouded in uncertainty.
While it has taken EU regulators some time to act on illegal data transfers, despite an immediate warning from the European Data Protection Board of no grace period in the wake of the July 2020 CJEU ruling (aka ‘Schrems II’), decisions are now finally starting to flow, including another by the European Data Protection Supervisor last month, also involving Google Analytics.
In France, the CNIL has ordered the website which was the target of one of noyb’s complaints to comply with the GDPR — and “if necessary, to stop using this service under the current conditions” — giving it a deadline of one month to comply.
As in Austria, the CNIL’s assessment of Google’s claimed supplementary measures (which it had argued ensured EU citizens’ data which was taken, via Google Analytics, to the U.S. was adequately protected) found them to be inadequate.
“[A]lthough Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services,” the CNIL writes in a press release announcing the decision.
“There is therefore a risk for French website users who use this service and whose data is exported.”
The CNIL does leave open the door to continued use of Google Analytics — but only with substantial changes that would ensure only “anonymous statistical data” gets transferred. (And the Austrian decision against Google Analytics last month took a broad interpretation of what constitutes personal data in this context, finding that an IP address could be enough given how it may be combined with other bits of data held by Google to identify a site user.)
The French regulator is also very emphatic that under “current conditions” use of Google Analytics is non-compliant — and may therefore need to cease in order for the site in question to comply with the GDPR.
The CNIL also suggests use of an alternative analytics tool which does not involve a transfer outside the EU to end the breach.
Additionally, it says it’s launched an evaluation program to determine which website audience measurement and analysis services may be exempt from the need to obtain user consent (i.e. because they only produce anonymous statistical data which can be exported legally under GDPR). Which suggests the CNIL could issue guidance in future that recommends GDPR compliant alternatives to Google Analytics.
The decision on this complaint has clear implications for any website based in France that’s currently using Google Analytics — or, indeed, any other tools that transfer personal data to the U.S. without adequate supplementary measures — at least in the near term.
For one thing, the CNIL’s decision notes it has made “other” compliance orders to website operators using Google Analytics (again without naming any sites).
And given the joint working by EU regulators on these 101 strategic complaints, the ramifications are likely to scale EU-wide.
The CNIL also warns that its investigation — along with the parallel probes being undertaken by fellow EU regulators — extends to “other tools used by sites that result in the transfer of data of European Internet users to the United States”, adding: “Corrective measures in this respect may be adopted in the near future.”
Austrian Data Protection Authority Finds Website Use of Google Analytics Violates GDPR
On December 22, 2021, the Austrian Data Protection Authority (DSB) found that medical news company, NetDoktor, violated Europe’s General Data Protection Regulation (GDPR) by using Google LLC’s popular data analytics platform, Google Analytics (GA), on its website, which resulted in the transfer of personal information from Europe to Google’s servers located in the United States (U.S.). Such transfers are generally prohibited unless an adequate level of data protection exists pursuant to Article 44 of the GDPR, including through European Commission-approved standard contractual clauses (SCCs).
The case was brought by an individual who visited NetDoktor’s website while logged into his Google account. Like countless other websites, NetDoktor allowed GA to place a cookie on the complainant’s device to track his activity. GA then assigned a unique identification number to his browser in order to keep track of which data belonged to the complainant. Google argued that this entire process is anonymous because GA employs IP masking technology and only generates aggregated, anonymous reports for its users. The DSB found, however, that the IP anonymization feature was not properly implemented, and that GA’s unique identification numbers could in any case be used to single out specific users. It was irrelevant that Google might need additional information to put a name to the identifier.
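The DSB’s reasoning turns on a technical point worth seeing concretely: truncating the IP address does nothing about the per-browser client identifier that the analytics cookie carries on every hit. The following Python script is an added illustration written for this update; it is not code from Google, NetDoktor or the DSB. The hit records are constructed sample data, the `_ga` cookie layout (`GA1.<depth>.<random>.<timestamp>`) and the masking rule (zero the last IPv4 octet or the last 80 IPv6 bits) are taken as assumptions modelled on Google’s public documentation rather than verified against its code.

```python
"""Added example (not from the page, Google, NetDoktor or the DSB): why IP
masking alone does not make analytics hits anonymous when a persistent
per-browser identifier travels with every hit."""
import ipaddress
from collections import defaultdict

# Constructed sample hits in the shape of what an analytics tag sends: the
# first-party "_ga" cookie value, the client IP seen by the collection
# endpoint, the page path and the date. Cookie format is an assumption:
# "GA1.<domain-depth>.<random>.<first-visit-timestamp>".
SAMPLE_HITS = [
    {"_ga": "GA1.2.1846201139.1640995200", "ip": "203.0.113.57",
     "path": "/symptoms/chest-pain", "day": "2022-01-03"},
    {"_ga": "GA1.2.1846201139.1640995200", "ip": "198.51.100.23",
     "path": "/conditions/diabetes", "day": "2022-01-05"},  # same browser, office IP
    {"_ga": "GA1.2.4031157722.1641081600", "ip": "203.0.113.58",
     "path": "/news", "day": "2022-01-03"},                 # other visitor, same /24
    {"_ga": "GA1.2.1846201139.1640995200",
     "ip": "2001:db8:85a3:8d3:1319:8a2e:370:7348",
     "path": "/conditions/diabetes/treatment", "day": "2022-01-09"},
]


def anonymize_ip(ip):
    """Zero the last octet of an IPv4 address or the last 80 bits of an IPv6
    address. Assumption: this mirrors the masking scheme Google documents."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(ipaddress.IPv4Address(int(addr) & ~0xFF))
    return str(ipaddress.IPv6Address(int(addr) & ~((1 << 80) - 1)))


def client_id(ga_cookie):
    """Extract the stable client identifier from a "_ga" cookie value."""
    parts = ga_cookie.split(".")
    if len(parts) != 4 or parts[0] != "GA1":
        raise ValueError("unexpected _ga cookie format: %r" % ga_cookie)
    return parts[2] + "." + parts[3]


def profile_by_client_id(hits):
    """Group masked hits by client ID. The masked IP changes from hit to hit,
    but the client ID ties every hit from one browser into a single profile."""
    profiles = defaultdict(list)
    for h in hits:
        profiles[client_id(h["_ga"])].append(
            (h["day"], anonymize_ip(h["ip"]), h["path"]))
    return dict(profiles)


def masked_ip_linkage(hits):
    """Return (most client IDs behind one masked IP, most masked IPs for one
    client ID). Masking neither separates different people nor keeps one
    person together; the cookie does both."""
    by_masked = defaultdict(set)
    by_cid = defaultdict(set)
    for h in hits:
        masked = anonymize_ip(h["ip"])
        cid = client_id(h["_ga"])
        by_masked[masked].add(cid)
        by_cid[cid].add(masked)
    return (max(len(v) for v in by_masked.values()),
            max(len(v) for v in by_cid.values()))


if __name__ == "__main__":
    for cid, visits in profile_by_client_id(SAMPLE_HITS).items():
        print(cid)
        for visit in visits:
            print("   ", *visit)
    print("linkage (visitors per masked IP, masked IPs per visitor):",
          masked_ip_linkage(SAMPLE_HITS))
```

Run as-is, the script prints one profile per client ID: the first visitor’s three page views over a week are reassembled into a single browsing history (chest pain, then diabetes, then diabetes treatment) even though every hit arrived from a different, masked address, while a second visitor sharing the same masked /24 stays separate. That is exactly the singling-out the DSB described: the identifier, not the IP, is what makes the data personal, and whether Google would need extra information to attach a name to it is beside the point.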
Further, NetDoktor’s reliance on outdated SCCs[2] and on supplementary data protection measures ― including further contractual, organizational, and technical measures ― was deemed an inadequate protection against possible U.S. government surveillance. This decision highlights the importance of making sure that there is adequate protection for cross-border data transfers, including against possible government access. It also emphasizes that organizations should understand what data they are collecting, whether directly or through vendors, where that data is being stored (particularly if cloud services are used), and whether measures to protect and anonymize data are actually effective. Notably, the dismissal of the complaint against Google as the processor of the data also provides guidance on the limits of service provider or recipient liability for violations of the GDPR.
Other European privacy authorities are taking a closer look at GA as well. On January 26, 2022, the Norwegian Data Protection Authority (Datatilsynet) announced its support of the DSB’s decision and noted that the Datatilsynet was currently assessing the legality of GA in one of its own cases. The Danish Data Protection Agency has also announced that it would issue guidance based on the DSB’s ruling, emphasizing the need for uniform application of the GDPR across the European Economic Area (EEA). Finally, on February 10, 2022, the French data protection authority, Commission Nationale de l’Informatique et des Libertés, reached a similar decision when it ruled that GA data transfers to the U.S. “are illegal” under the GDPR.
Please check out our recent client alert for a more detailed analysis of the DSB’s decision and GDPR compliance insights.
- DSB (Austria) – 2021-0.586.257 (D155.027).
- These legacy SCCs were adopted by the European Commission in 2010, but have since been replaced by the current SCCs effective June 27, 2021. Companies who entered into data processing agreements before the latest SCCs came into effect have until December 27, 2022 to transition to the new SCCs.
U.S. Department of Commerce and European Commission Release Joint Press Statement
On August 10, 2020, the U.S. Secretary of Commerce, Wilbur Ross, and the European Commissioner for Justice, Didier Reynders, released a Joint Press Statement (“Press Statement”) regarding the status of Privacy Shield discussions in light of the Schrems II decision. The Schrems II decision declared that the EU-U.S. Privacy Shield Framework was not a valid mechanism to transfer personal data from the European Economic Area (EEA) to the U.S., which we address in greater detail in a recent Client Alert.
The U.S. Department of Commerce and the European Commission announced that they have initiated discussions to determine the potential for “an enhanced EU-U.S. Privacy Shield” that would comply with the Schrems II decision. Both parties recognize the “vital importance of data protection and the significance of cross-border data transfer to our citizens and economies,” and reiterate a commitment to privacy and the rule of law, as well as the longstanding collaboration between the EU and the U.S.
While the statement does not detail what an enhanced EU-U.S. Privacy Shield Framework might look like, it indicates that an agreement on a new framework is a priority for both entities and could be announced sooner than previously anticipated. It remains to be seen how the new framework will seek to address the Court of Justice of the European Union’s concerns regarding the incompatibility of U.S. surveillance laws with the privacy protections afforded by the General Data Protection Regulation (GDPR).
The full U.S. Department of Commerce Press Statement may be viewed here, and the full European Commission Statement may be viewed here.
Department of Commerce Provides FAQs on EU-U.S. Privacy Shield Framework
The U.S. Department of Commerce has provided an update to the FAQs on the EU-U.S. Privacy Shield Framework in regards to the Schrems II decision. The updated FAQs include five questions that seek to address issues of concern for entities currently certified under the Privacy Shield Framework and entities who are considering applying for certification.
The updated FAQs provide the following guidance:
- The Privacy Shield is not a valid mechanism of transfer when transferring personal data from the EEA to the U.S. The FAQs explicitly state that this does not relieve current participants of the program from their obligations under the Privacy Shield.
- Consistent with guidance from the European Data Protection Board, there is no grace period during which organizations can continue to use the Privacy Shield as a basis to transfer personal data to the U.S.
- Participants are advised to continue to abide by the Privacy Shield Framework to demonstrate a serious commitment to protect personal information and recourse for data subjects under the GDPR.
- Re-certification under the Privacy Shield and details of how the U.S. Department of Commerce will continue to process submissions and re-certifications is addressed.
- Withdrawal from the program is discussed, and the relevant links and information for entities that wish to do so are provided.